Good morning. Well, I know noon is DEF CON morning. So, good morning. How many of you guys are hungover? Raise your hand. Seriously? Only one? Maybe two? You guys are doing DEF CON wrong. Alright, wait, wait, wait. Another drunk. Another question. How many of you are still drunk? Alright. Not me. I actually got like six hours of sleep last night, which is fucking fantastic. Alright. So welcome to So You Think You Want to Be a Penetration Tester. My name is Anche. Long story, well short story but long story about my handle I'm not going to go into. There's some people that I want to introduce to. You'll notice there's some logos on my slide. I'm a member of a fantastic organization called the Security Tribe. These guys are all smarter than I am and I'm super, super happy to be surrounded by very smart people. I also have my wife in the audience and she's a hacker like the rest of us even though she doesn't admit it. She hacks kids' brains. She's a university professor and she does a fantastic job. I have been a penetration tester for 10 years. I've led red teams for five of those 10 years and so I'm going to talk a little bit about what the job actually is like. Dispel some misconceptions so that you guys know a little bit about what the realities are and such and such. Now I have a little thing on the bottom of this slide that says the leprechaun question mark. Now I requested in my CFP submittal that there would be a leprechaun dancing on stage while I was giving my talk and that didn't happen and I'm severely disappointed. Just kidding. All right. You'll notice my slides have a little bit of humor in them and I do that intentionally so feel free to laugh and you know it's designed to try to keep you awake. So let's talk a little bit about the wonderful world of penetration testing. You know this job is a tough one and I'm going to do a quick survey. How many in here are already penetration testers? Raise your hands. Okay. 
How many in here want a job in penetration testing? Raise your hands. Cool. All right. Now stand up if you think penetration testing has to do with porn. Nobody's standing up. You get into this job just for the title because it's fantastic at parties. People ask you what do you do? Well I'm a penetration tester and they give you this look of what the fuck is that? Yeah. I've had various answers from, oh, serious, like serious answers. Let me guess. You're the guy that tests the lighting in pornography, right? No. No. It's a fantastic title. It's fun. It's really cool to explain because people always ask you questions about it and I apologize. I'm getting over pneumonia so I'm going to cough a little bit. So let's talk a little bit about what my family thinks I do. My mom and dad seriously think that I'm some kind of super spy. I'm not kidding. Like, yeah, you travel all over the country and you break into shit and you're like James Bond. I'm like no, I'm not. It's actually really fucking boring. So I want to talk through some of the misconceptions and realities to kind of dispel some myths and some of you out here that are already penetration testers will laugh at these because they're pretty funny. I think I'm funny. Apparently there's a lot of people in here that need to get laid. Misconception number one, there will always be somebody more elite than you. We all have something to learn. There is nobody on this planet that is an expert at everything. And I talked a little bit earlier about surrounding yourself with some people that are smarter than you. And my team that I work with is super smart. All of these guys are just fucking geniuses. And it baffles me sometimes that they let me hang out with them. And this fucker down here, stand up Jeremy. He is the leprechaun that is supposed to be dancing. Catch my lucky charms, blow your ass to pieces. No. Yeah, you can sit. He is a member of my team. I'm pretty sure that there's more in here. I just can't see you. 
If you work with me, stand up. Really? I guess they don't really want me to hang out with them. That kind of sucks. Assholes. Seriously, there's always going to be somebody that is better than you at something else. And your job as a part of this job is to learn from them. You learn all you can because you're going to run into shit that you have no idea what it is. And if you can learn it the first time, the next time you run into it, you'll know how to deal with it. So misconception number one, you will never be the most elite guy in the room. Reality number two, if somebody told you this job is easy money, they're a fucking liar. We work, well, when we're on site, when we're actually doing an assessment, we work probably between eight to 10 hours a day. That's pretty easy. We travel 25% of the time and we have a good time while we're working. When we're not traveling, we're doing research. We're honing our skills. We're doing a lot of things that, excuse me, I'm sorry. We're doing things that make us better at our job. And that can take, oh, I don't know, it can take 15 hour days. It can take 10 hour days. You know, my wife puts up with me so well because she'll come home and I'm like, I'm still working. And she's like, but I thought we were going to have dinner. But yeah, we can eat at nine. So it's not an easy job. It's not something you can sit and do, you know, nothing. And then, you know, it's like, oh, what do you do? I surf the internet all day. Oh, yeah, I can do that. This is funny. Hold on a second. My mom bought me this shirt. And we were, we were out here on Friday, last Friday, a week from Friday, because we do Inhuman Reg and so we help prep the con. And she panicked because she saw me check in in Vegas and she's like, but I had a shirt for you to wear at DEF CON. It says penetration on the front if you can't read it. And the back has a definition of penetration. And when your mother gives you a shirt that says penetration on it, it's kind of awkward. 
Not really. My wife just asked, do you want me to read the back? No. It's kind of awkward. All right. There's no bullshit in this job. And if you can't read the slide, it says just because I appear to believe your bullshit doesn't mean I'm as stupid as you think I am. I'm just laughing inside and waiting to see what you come up with. You can't fake it until you make it in this job. It doesn't work. You will crash and burn miserably. And unfortunately there's a lot of people that are trying to do that in this industry. And so I would encourage you if you really want to get in this job, have a passion for it. And we'll talk a little bit about what that passion entails here a little bit. I have seen a lot of bullshit in my time. I've seen a lot of people stand up and say, oh yeah, I can hack into anything. And when you ask them to prove it, they're like, oh wait, hacking into something is more than just pressing start on a Nessus scan. Yeah, it is. So there's no bullshit in this job. This is my favorite comment. Yes, you have to have experience to get experience. I'm not telling you that you have to be a penetration tester to be a penetration tester. I hire, I prefer that we hire sysadmins. It's easy for me to turn a sysadmin into a penetration tester. And that's because a sysadmin knows how to build something. And if you know how to build something, you can generally take it apart. And that's what we do. We take things apart. We try not to have missing pieces at the end. Where the fuck did this screw come from? But yeah, we take things apart. We analyze it. We look at it. And it's easy for me to take a sysadmin who knows how to put something together and teach them the skills that they need to be able to take things apart. I also look for an attitude. How many in here would consider themselves a hacker? Raise your hands. Every fucking one of you should be raising your hand right now. Let's try that again. How many people in here would consider themselves a hacker? 
All right, that was better. We'll give you a pass on that. We'll give it about a D. 60%. I'm totally going to give you the D later. Just a tip. Just to see how it feels. The mentality of a hacker is one that questions things that's curious. And if you're not curious about something, I mean, I'm not talking about a computer hacker. I'm talking about a hacker. If you're not curious about something, you're dead. And you need to be revived. And so I challenge everybody in this room that didn't raise their hand. Like I said, there was about 40% of you to wake up, get curious about something. I don't care what it is. It can be knitting. It can be underwater basket weaving. It can be computers. Just be curious about something. Learn something. That's how you get experience. If you come to me and say, hey, I've been a sys admin for five years and this is what I did and I really want to be a penetration tester, I'm going to look at you and say, cool, let's talk about your mindset. What are you curious about? What do you like to do? I like computers. Actually, I love computers. I spend a lot of my time on computers. I do electronics too. I build stuff. I build planter boxes for my wife. I do carpentry. I do all kinds of stuff because I want to learn. I want to exercise my brain. I want to keep things elastic and not get stale. You guys want to do some penetration testing? They don't pay you to sit around and do nothing. This is work. It's a job. People forget that sometimes, I think. They get going with a, hey, I'm going to be a hacker and I'm going to get to hack into things, which is true, but it's also a job. You don't get to just show up and then hack into shit and go away. It's work. I took my shirt in because I had that. I'm going to tuck it because it's hot. Is it hot in here? I'm not going to take off on my clothes. Remember, they're not paying you to do nothing. They're paying you to actually do work. 
We're going to talk a little bit about what that work is and what your clients are going to expect from you and what you're going to have to be able to do in order to be a penetration tester. I love the Kim Jong-il memes. They're so funny. How many of you in here think you know what a red team is? Raise your hand. I know you do. I know you do. Keep your hands raised. I'm going to call on somebody. Stand up. Shout loud. Go ahead. That's pretty good. He said a red team is a group of individuals that try to break into a company, either physical security or information security. Pretty close. I'm going to tell you the definitions differ vastly between organizations. In my line of work, in my organization, a red team is simply an unannounced assessment. Now there's more to it than that, but it just means that we're not going to tell IT we're coming when we come to penetrate them over and over and over again. A red team activity is very different than a penetration test. I kind of want to walk through some definitions here just to kind of level set what we're talking about. I'm going to start out with a vulnerability assessment. A lot of people, a lot of companies out there, big companies, and I'm not going to name names, call a vulnerability assessment a penetration test. You're not actually doing a penetration test unless you're trying to actively exploit vulnerabilities. If you walk in with Nessus and Nmap, old ones, SATAN, who here knows what SATAN is? Raise your hand. Yes, I love SATAN. Best tool ever. I wish it still existed. Well it does, but they don't call it SATAN anymore. If you walk in with one of those tools, hit the button, spit out a report and hand it to your client, you did not perform a penetration test. You performed a vulnerability assessment. You could add more to it than that. 
You could do a threat assessment on top of that, but if you did not try to exploit the vulnerabilities that you found and try to dig deeper, you did not perform a penetration test. A penetration test, like I said, is something where you take your vulnerability assessment and you try to take it one step further. You're going to try to actually exploit the vulnerabilities. Now when you exploit those, you're going to take and see how far the rabbit hole goes. The rabbit hole typically goes pretty damn far. That's the fun part of this job. The boring part is sitting there waiting for the vulnerability assessments to come back. Now, red teams. Red teams are the most fun, in my opinion. They're the thing that everybody wants to do, but not everybody can do it. A red team differs largely from a penetration test in that you are trying not to get caught. Penetration tests are loud. You're going to get caught all over the place. You're going to sit down with your client. They're going to know you're there. They're going to treat you like auditors, by the way. Do we have any auditors in the room? We have one. I'm sorry. They're going to treat you like an auditor. They're going to hide things from you. They're going to do all kinds of shit. We'll talk about that in a little bit. You really want to take it to the next level, so you want to keep digging until you can dig no more. For the red team, you're going to do that same digging. You're going to do it from outside. You're going to do it as sneakily as possible. Whether you're breaking into something, physically you're jumping a fence, you're planting a device, you're doing social engineering. Those are the kinds of concepts that differ between a red team and a penetration test. At least where I'm at right now. Let's talk a little bit about adaptation. How many of you guys like to plan your day? You put two hands up. I know. You really want to throw a monkey wrench in Cripp's life. 
Toss him something that's not going to fit in his day. He will try to make it fit and it will be funny. No. You're going to have to adapt. You're going to have to think on your feet. How many of you guys were up here for Lost's talk when he talked on Thursday? I was. He talked a little bit about, he gave this whole speech about thinking outside the box. I like to talk about non-linear thinking. You can't think in a straight line. If you think, this leads to this, leads to this, leads to this, you're never going to find everything you need to find. Oh, he's getting trashed. Nice. Okay. Well, I'm not going to wait for him because I get a limited amount of time. Okay. So, yeah. We're going to talk about adaptation. You're rolling, you know, oh. Hi. Ladies and gentlemen, Lost. I know that there's a very good reason that you're late. But I do that to everybody that comes in late to my talk. So, yeah. So 1 plus 1 might equal 5. And the reason why is because you think it equals 2, but there's 3 more things out here that the client hasn't told you about. So, really, it's not 1 plus 1. It's 1 plus 4. So you have to learn to adapt. You have to learn to sit down and be like, oh, well, so I didn't think about that. So I'm going to take a step here and then I'm going to shift. A lot of people call that a pivot. So, learn to adapt. Be flexible. Don't think linear. And I'm going to kind of spin things up a little bit because I'm going to start running out of time. So, we all like to win. How many of you guys like to win? Where's your hand? Again. Jesus. We're going to try that one more time. I'm trying to get people to wake up and get active because I realize it's early on a Sunday, or late Saturday. Is it late Saturday for you? I'm sorry. You know, I'll let you sleep. There's a nice comfortable spot up here. You can lay down behind the table and take a nap. No. We all like to win. My team especially likes to win. We like to break into things and say yes, we win. 
But I want to take the concept of winning out of this. Everybody needs to win. Your client needs to be as secure as possible. Your job is to come in and tell them where they're not secure. Not to come in and embarrass their sysadmins. That's a bonus. I'm going to get water poisoning, by the way, Lost. That's great. Thanks. So, yeah. So, your job isn't to embarrass the sysadmins. Your job is to tell your client where they're weak and what they can do to improve. So, take winning out of the equation. You don't get to win. You get to help. You're not there to conquer the network. You're there to assess it. You're there to assist your client in making themselves as secure as possible. Oh, my God, the report. How many of you like to write? Fair man. How many of you are technical writers in this room? Good. Thank you. I'm going to thank you right now. I actually, I hate to write. I hate it. It's my least favorite thing. But I do it. And I've been told I'm quite good at it. Yeah, it's a damn good thing I married an English teacher. Oh, my God. My boss told me, you shouldn't tweet without letting her look at it first. And he wasn't kidding. Seriously, she helps me a lot. She corrects my grammar a lot. She has a large red pen and I love it. Learn to write. Learn to write well. You're going to have to do it. My last report was, can you tell who I worked on it with? Cript. Cript and I wrote this report. It took us what, what, three weeks? Three and a half weeks to write? Why is it PTSD? Yeah, it was long. And it's detailed. Because again, you have a job to do. Your job is to make sure your client knows where they're weak. And so you want to outline all that. You also want to make sure that you're telling them how they can make themselves better. So the report is important. And the client. So let's talk a little bit about how you interface with your client. 
First thing you're going to do when you get on site is you're going to sit down and you're going to say, hey, plug me into the network. And they're going to look at you and go, are you fucking nuts? And you're going to go, no, seriously, plug me into your network. So they plug you in. And then they're going to give you this ream of paper that's about 500 pages long. Because I guess that's technically a ream, right? And they're going to say, this is the exclusion list. And it's going to have an IP address on each line for 500 pages. And you're going to look at this and go, okay, do you have this in electronic form? And they're going to go, no. Remember how I said that they're treating you like an auditor? They don't want you to get started. So your job as a penetration tester, when you come into a client is to make them feel comfortable. Does this smell like chloroform? You make them feel comfortable. And then you do what you're going to do, which is you're going to find their weaknesses. And then when you find their weaknesses, you're going to show them how to fix them. And the more you do that, the more your client will trust you, and the less that exclusion list will become a factor. Your job is to convince the client that you need to look at every single IP address on that exclusion list. And it's not because, again, you want to embarrass the sysadmins. That's a bonus, remember? Teleprompter went out. I didn't even bring my besautomizer. Oh, that's a bummer. I like messing with that. I like watching my words. Oh, well. I'm going to be like Romer. Hopefully they'll catch up to me. Fuck, fuck, fuck, fuck, fuck. Anyway. So, yeah, your job is to make the client feel comfortable. And they're going to try to change things. You know, they don't like the report. You said you hacked into this. Did you really do that? Can we say that you almost got in? We have a plan to mitigate that vulnerability. Can we just not write that in the report? 
What was my, what was the last one, the favorite one? Oh, yeah. Can we, if I provide you email evidence that we're working on that, can we say that vulnerability didn't actually exist? Yeah, no. Yeah, no. That's not how, yeah. That's not how this works. I unfriend you. At least I got some laughs. Okay. They will test you, the point is. You need to be able to deal with people. You need to be able to answer questions in a diplomatic way, instead of saying, no, you're a fucking idiot. Stop that. Just don't use the word fuck. You can say, hey, you're an idiot. Stop that. Okay. I realized that was kind of a rambling talk. And I appreciate you guys sitting and listening to me. But I'm gonna give some time for some questions. And I will answer anything. If you guys have questions, just stand up and say, yeah. Right now I work for one large client. And we do all of the penetration tests for that one client. Next? Yeah. Yeah, yeah. So the question was that I said that I hire sysadmins. He's like, well, what about network guys? Those too. I'm just looking for somebody with experience that can build. All right. So we're gonna, yeah, it's about time. So I'm like four minutes early. That's okay. Fine. Yeah. What do I think about? What do I think about pen testing certifications? They're all shit. No, seriously. A certification, letters after your name, that's an HR filter. Okay. You have to get past HR at some point. So you're gonna need them. I don't generally look at them. I will actually give you a test if you come to work for me. I have a test that I give. And if you can, you know, I'm not looking for, if you can pass the test, I'm looking for how you approach the test. Right. Any others? Just stand up and start shouting. Yeah. What happens on a pen test if I come across an existing compromise? That's what we call an all stop moment. Everything stops at that point. And then we help the client troubleshoot it and do their incident response. Yeah. 
That's, we don't, we don't mess around with that shit. Anything else? Anybody want to? Yeah. Specific vulnerabilities in OpenStack. Come grab me at the bar. I will talk. Okay. Yeah, I get your question. I'm gonna rephrase it if it's okay. So the question was, what am I, you know, basically what am I actually looking for in somebody that builds systems, right? If I'm looking for a potential employee. I'm looking for somebody that has the background in building systems, whether it be operating systems, networks, switching and routing, stuff like that. Because that stuff, that level of experience is hard to teach a penetration tester. Because if you don't have that background, you're not, you're not gonna get it penetration testing. You're not gonna have that depth of something, you know, when you, when you walk in and see, oh, that switch is configured wrong, right? There are a lot of penetration testers out there that can't tell that. But I'm not gonna hire just network guys. I'm not gonna hire just sysadmins. I'm gonna try to hire a breadth across the team so that we have, you know, nobody, no one, there's no one wealth of knowledge and we're not lacking some place else. That makes sense. Oh wait, stop. This is my brother-in-law. I'm not shitting you. He's a ginger. But he does have a soul. Good. My useful tool in my own mind. But we won't go into that because you're my brother-in-law. We won't talk about that. You know, I have a huge lab at home that I use a lot. And I use it to learn. I actually have a gigantic lab. And that lab is used for me. Yeah, thoughtful pause. Yeah, that lab is used, is useful for me to, to, to do my education. All right, couple more and then we'll be done. Yeah. Yeah. What kind of infrastructure do we bring into an announced assessment? We actually have a server and a switch. We bring in, we use IRC to communicate between each other locally. We don't, we don't communicate outside with IRC. No, Google Docs. Lost has a question. 
I am a level five script kiddie. No, you do, you need to learn to program in something. Python, Ruby. Ruby's a good one because you can write Metasploit modules. Those are always fun. Yeah, that, that's important too. Yeah, that's a tough one. Come here. Talk to people. Seriously. He's, he, he's asking how do you find pen testing job opportunities? You come here, you talk to people. You sit at the bar and, and you, you be outgoing enough to be able to, to sit down and talk with somebody about what you're doing and what you would like to do. And then, what was that? DEF CON groups? That's another good one. What was that? Local meetups. Yeah. Yeah. Yeah, your local meetups too are great. Those are awesome answers. All right, anything else? Yeah. So the, the question was what kind of language do we use to describe ourselves in our reviews to the site? And yeah, we, we do very similar things. We, we make softer claims. This is an assessment, for instance. It's a review. We do, we do a cybersecurity review. We don't generally do incident response. So we, we're coming in to actually do an assessment of, of the network itself. But yeah, we use, we do soften things. I'm not coming in. I'm not going to say I'm coming to, to fuck your shit up. Although sometimes I'd like to. All right. That's a crypt. Fantastic question. What's a good starting point if you've never touched a computer but we want to get here? The fundamentals. It's a tough question. Learn how the computer works. Learn how it works. Take it apart, put it back together again. It's hard to do with, you know, you know, the computers these days, but do it. Build one from scratch. Take Lost's "How to Build a Processor in 10 Minutes." Watch that. That was fucking phenomenal. Seriously, it was. And, and the secret is he did that all off the cuff. Not sure you guys know how smart he is. All right. Last question. Very carefully. I'm going to repeat the question. How do I prepare? 
How do I prepare my report so it doesn't sound like an indictment against the staff? Yeah. No shit. I call my wife. We actually have a set of people that look at the reports. And so we'll write, we'll write our report. I don't go through a review board and they will tell us if we're being too harsh or not. But we just carefully select our language, you know. I'm trying to get us as an industry away from softening things too much. So I think we are too soft on our clients. You know, you can't, you can't sit here and say, well, that's a, that's a really, it's a critical vulnerability, but maybe, maybe you should take care of that, you know, you're not going to go in and say, well, that's a huge fuck up and you fucked up and you need to be fired. But you're going to go in and say, this is a critical vulnerability. You need to prioritize this in your, in your break fix system. And so, you know, you just, I think we're too soft, to be honest. And so I'm trying to get us not to soften the language as much as we soften that now. All right, guys. That's all the time I have. I will be downstairs at the end of the elevator for about 30 minutes into the escalator at the bar for about 30 minutes. If you guys want to come catch up with me. Oh, yeah. I need a drink.